Your account will be closed in 24h!

Yahoo phishing

Thursday night and checking Facebook on my mobile before going to sleep. One of my friends is complaining about how hard it is to use Yahoo mail abroad. Problem logging in and now there’s some problem with the account. “Your E-mail account has exceeded its limit and needs to be verified, if not verified within 24 hours, we shall suspend your account. Click Here to verify your email account now.” And when you try to resolve it, it doesn’t even work. You just end up on the login page! Damn Yahoo!

Stop! This message is not about a problem with the mail system, it’s a very typical phishing mail. I responded with a warning, and yes, the link had indeed been clicked and the credentials entered on a page that looked like the Yahoo login page. That made my friend a phishing victim like so many other Internet users. It was the beginning of a long night trying to figure out how to change the mail password using a tiny mobile screen. But the case came to a happy end. The password was apparently changed before the attackers had a chance to take benefit from the account, thanks to the swift reaction.

How to spot a phishing attempt?

  • It arrives as a mail message. Mail can be sent by anyone and it is trivial to spoof the sender’s address so that it seems to come from your mail operator or some other company you trust.
  • People think less when they are afraid so it tries to create a sense of danger. Something bad will happen unless you react. The closure of your account is a very common threat when phishing for e-mail accounts.
  • People think less when in a hurry so it tries to create a sense of urgency. You need to act right now. This lowers the risk that the victim checks out the facts first. The 24h deadline is a typical trick to achieve this.
  • It links to a web page that looks like an official page of, for example,  your mail operator. But it is actually controlled by the attacker, who also receives any information you enter. You are hacked if you enter your mail user name and password, or other valuable information.

My friend is not a computer newbie, and did in theory know all this. But the attack succeeded anyway. How is this possible? Imagine that it is late in the night and you are tired. There are other people distracting you. You are traveling and really depending on your mail account. And on top of that, you have had problems and expect even more trouble with this operator. So this is a very typical situation where the fingers can be faster than the brains. This is really the optimal situation for an attacker to hit, and they happened to send this phishing mail at the right wrong time.  Honestly, are you sure this couldn’t happen to you?

Ok, so what should I do to avoid being phished?

  • First of all, do not click links in mails! This is not just about phishing, many get malware too by clicking links. But there are also legitimate links that friends send to you. So you should always think about who the sender is (remember, the apparent sender can be spoofed), in what style and language the message is written, what the claimed content of the link is and how does all this fit together? To summarize, do I expect this kind of message from this person (or company) at this time? This way you should be able to spot the legit links.
  • If in doubt, check what address the link is taking you to before you click. Note that the text forming the visible part of the link may look like a web URL but still be linked to a totally different address. Hover the mouse pointer over the link and examine the address that the mail client or browser shows you. Make sure that the address match the company or site that the link is claimed to point to. For example: The login to Gmail should start with “https://accounts.google.com/” but a phishing site targeting Gmail may use an address like “http://accounts.google.com.etw368hj.nu/”. The latter does NOT belong to Gmail.
  • Get familiar with the login URLs of your favorite services BEFORE you run into a phishing mail. Then it is a lot easier to spot the spoof. The address may look long and nerdy, but you only need to mind the part after the double-slash “//” but before the first single slash. That part identifies the server that you will access. (Your browser may show the address without the initial “http://”, in that case just examine the part before the first slash.)
  • Get familiar with the concept of secured web pages and how to recognize them. Login pages of important services are typically protected this way. Their addresses start with “https://” instead of “http://” and your browser shows a lock or similar symbol next to the address field. You can examine the certificate of the server you are connected to by clicking the lock, and this is reasonable hard proof about who’s running the service. Needless to say, the phishing sites can’t duplicate these cryptographic certificates.
  • If you suspect that there really may be a problem with your mail account, then log in with the link that you normally use to access the account. Do not use a link in a mail message. Look for info banners and pop-up messages shown in the browser after you have logged in. These messages are a lot more reliable and can generally be trusted. Mail operators are well aware of the phishing threat. If you get a mail claiming that there’s a problem, then you can be pretty sure that it isn’t true. The mail operators do not communicate in that way.
  • If you still fall for the scam, attempt to change your password right away. This is also a good time to think about if you have used the same password on other services. Say that john.doe@gmail.com is using the same password as john.doe@hotmail.com. If one get hacked, then the hacker just need to try some of the common mail services to get access to more accounts. This would be a good time to brush up your password practices.

As a practice, examine the link above and try to figure out where it points and what company it belongs to without clicking it.

Safe surfing,
Micke

Phishing @ Wikipedia.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

More posts from this topic

Sports Cartoon

3 Easy Steps to Stream your Favorite Sports Events, Wherever you are

It’s going to be a busy month for sports lovers from all corners of the world. Hockey fans are currently being treated to both the NHL playoffs and the IIHF world cup, and the coming month will see things like the Champions League final, the US Masters, the NBA playoffs, and to top it all off, the European Championships in football. This presents a problem for many of us. Particularly during the summer, we travel a lot and just might be unable to find a TV screen showing our favorite events. So does this mean we have to miss Kevin Durant sink yet another 3-pointer or be content with next-day highlights of the CL final between Real and Atletico? Thankfully not! The internet allows us to stream games online and watch your favorite matches anywhere, whether at home or under a beach umbrella. Unfortunately, your excitement can often be hindered by messages like “Sorry, this content is unavailable in your country.” This is known as geo-blocking, where the services check your IP address (the unique address of your device) and only allow access if it is located in a specific country. The obvious solution then is to change your IP address to a country where you can access the service. And the easiest and quickest way to do this is with a VPN. How Freedome VPN works The way VPNs work is very simple. Instead of connecting to the internet directly, a VPN first directs your traffic into a secure and private tunnel. The rest of the web won’t see where your traffic enters the tunnel, making your real location and IP address hidden. A VPN like Freedome also lets you choose where the other end of that tunnel is, and THIS determines where any website will think you are. Pretending to be virtually in another country is that simple! How to use Freedome VPN to stream sports Follow these simple instructions to watch your favorite sports live everywhere! Download and install Freedome VPN In the Freedome app, tap the location at the bottom of the screen, and choose your home country where the stream you want to see is available Navigate to the website of the streaming service or search for a legal live stream of the sports event online If on a mobile device, remember to turn “location” off, as some websites use this as an additional method of pinpointing your location It’s as simple as that! More about Freedome VPN Freedome is a hybrid VPN, available for both mobile and desktop platforms. In addition to letting users access content restricted to other countries, it protects your anonymity from websites you visit, and prevents even your internet service provider from snooping on your online activities. There are even a few features lacking in other VPN products, such as automatic blocking of intrusive tracking by advertisers, and protection from malicious websites. Get Freedome from our website to enjoy unrestricted access to the internet while protecting your privacy on the side!

May 16, 2016
BY 
5588953445_51dcf922aa_o_crop

Why are Android bugs so serious?

Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios.   Safe surfing, Micke     Photo by etnyk under CC

March 18, 2016
BY 
Tracker Mapper

Want to Pwn Internet Trackers? Here’s How

A recent PEW report says that 86 percent of people have taken action to avoid online surveillance, including simple things like clearing their browser cache, as well as using more effective methods, such as using a VPN (virtual private network). The same report says that 61 percent of participants indicated that they’d like to do more. Many people understand their privacy is at risk when they do things online, and want to do something about it. But that’s easier said than done. Not only do you have to have the will to make it happen, but you have to know where to start. Who do you want to protect your privacy from anyway? Facebook? The NSA? Nosey neighbors? PEW’s report says that 91 percent of people agree or strongly agree that consumers have lost control over personal information that is collected and used by companies. So if you want to take this control back, the first thing you need to do is figure out who’s stalking you online. F-Secure’s Freedome VPN, which you can try for free, has baked-in tracking protection technologies to help people protect their privacy while they’re surfing online. It also has Tracker Mapper – a feature that people can use to control how they expose themselves to Internet trackers. Tracker Mapper has been available for Macs and Windows PCs for about half a year, and was just launched for Freedome’s Android and iOS apps. So how does using Tracker Mapper help you control your online privacy? Here’s our Chief Research Officer, Mikko Hyppönen, talking about how online tracking threatens people’s privacy, and how Freedome (and Tracker Mapper) can help people protect themselves. [youtube=https://www.youtube.com/watch?v=X1F8sHjCBx0&w=560&h=315] I ran a little experiment to help me learn how to limit my exposure to trackers while planning a vacation. I used Alexa to help me find some popular travel websites that I could use to shop for deals on hotels. After that, I turned on Tracker Mapper (which is turned off by default, because we respect the fact that people don’t want apps to create logs without permission) so I could find out which of these websites used the most tracking to study me as I used their site. I chose 5 of the more popular sites, and then I spent about 10 minutes on each, and left a bit of extra time so I could check out the results in between. The whole thing took me about an hour, giving me a one-hour log of the tracking attempts Freedome blocked while I browsed these sites. Tracker Mapper creates an interactive visualization of the blocked tracking attempts, and gives you information on what trackers attempted to monitor you on different websites. It also shows how these trackers link together to create a network capable of monitoring you as you navigate from website to website. These are screenshots showing how Tracker Mapper visualizes online tracking, as well some of the statistics it provides. The capture on the left shows the entire overview of the session (which lasted exactly one hour). The shot in the middle shows the sites I visited ordered by the most tracking attempts. The capture on the right shows the actual trackers that attempted to track me during my session, ordered by the number of blocked attempts. Based on this, Trip Advisor appears to have made the most tracking attempts. But you can learn even more about this by combining Tracker Mapper with a bit of online digging. You can tap on the different “bubbles” in Tracker Mapper to pull up statistics about different websites and tracking services. The first screen capture shows how many tracking attempts from different services were blocked when I visited Trip Advisor. The next two show the most prominent tracking services Freedome blocked – the tracker that TripAdvisor has integrated into its website (www.tripadvisor.com), and a tracking tag from Scorecard Research (b.scorecardresearch.com). As you might have guessed, TripAdvisor’s own tracking service is only used on their website (it’s what’s called “first-party tracking”). That’s why Tracker Mapper doesn’t show any connections between it and other websites. The second one, Scorecard Research, is used on both Trip Advisor and Lonely Planet. That’s why there are lines connecting it with both (it’s what’s called “third-party tracking”). Scorecard research is a marketing research firm that provides tracking and analytic services by having websites host their “tags”, which collect information about those website’s visitors. The Guardian has an excellent write-up about Scorecard Research, but what’s missing from the Guardian story is that you can opt-out of Scorecard Research’s tracking. Basically, they put a cookie on your browser, which isn’t an uncommon way for tracking companies to allow web surfers to protect their privacy (and oddly enough, a common way for them to track you). Stripping trackers out of websites lets people take control of who’s monitoring what they do online. PEW’s survey found that this idea of control is central to people’s concerns about online privacy - 74 percent of respondents said it’s important to control who can get information, and 65 percent said its important to control what information is collected. However, opting out of every tracking service (and for every browser you use) by installing opt-out cookies isn’t as convenient as using Freedome. And as F-Secure Security Advisor Sean Sullivan pointed out in this blog post, it actually works much better for your browsing (one experiment found that Freedome can reduce the time it takes to load web pages by about 30 percent, and decrease data consumption by about 13 percent). You can download Freedome for a free trial and find out for yourself if how it can help you control your online privacy. And right now, you can win free annual subscriptions, as well as cool swag (like stylish hoodies) by posting a screenshot showing your blocked tracking attempts to F-Secure’s Facebook wall, or on Instagram with F-Secure tagged. The contest is open till March 23rd, and 5 winners will be randomly drawn after it ends.

March 16, 2016
BY